#!/bin/sh
export LD_LIBRARY_PATH=:/usr/local/tassl/lib:/opt/sis-sslvpn/lib/tassl/x86_64/lib
OPENSSL_DIR=/opt/sis-sslvpn/lib/tassl/x86_64

KEY_INDEX="false"
ISSUE_CRT="false"
RSA="false"

# pick up any command line args
for i
do
case "$i" in
--key_index*)
    KEY_INDEX="true";;
--issue_crt*)
    ISSUE_CRT="true";;
--rsa*)
    RSA="true";;
*)
    echo "unknow options"
    exit;;
esac
done

RM=/bin/rm
MKDIR=/bin/mkdir

CERTS_DIR=./certs

$RM -rf $CERTS_DIR
$MKDIR -p $CERTS_DIR

OPENSSL_CNF=${OPENSSL_DIR}/tassl_demo/cert/openssl.cnf

CA_EXT=v3_ca
SIGN_EXT=v3_req
ENC_EXT=v3enc_req

if [ "$RSA" = "true" ]; then
    ENGINE=tasshsm_rsa
    ALGORITHM=--RSA
else
    ENGINE=tasshsm_sm2
    ALGORITHM=--SM2
fi

TEST_CA_DN="/C=CN/ST=BJ/L=HaiDian/O=JNTA/OU=BSRC of TASS/CN=CA_commoname/"
TEST_SIGN_DN="/C=CN/ST=BJ/L=HaiDian/O=JNTA/OU=BSRC of TASS/CN=S_sign_commoname/"
TEST_ENC_DN="/C=CN/ST=BJ/L=HaiDian/O=JNTA/OU=BSRC of TASS/CN=S_enc_commoname/"


if [ "$RSA" = "true" ]; then
    TEST_CA_KEY=${CERTS_DIR}/CA.key
    if [ "$KEY_INDEX" = "true" ]; then
	    TEST_SIGN_KEY=20
    else
	    TEST_SIGN_KEY=${CERTS_DIR}/SS_RSA_HSM.key
    fi

    TEST_CA_CSR=${CERTS_DIR}/CA.csr
    TEST_SIGN_CSR=${CERTS_DIR}/SS_RSA_HSM.csr

    TEST_CA_CRT=${CERTS_DIR}/CA.crt
    TEST_SIGN_CRT=${CERTS_DIR}/SS_RSA_HSM.crt
else
    TEST_CA_KEY=${CERTS_DIR}/CA.key
    if [ "$KEY_INDEX" = "true" ]; then
	    TEST_SIGN_KEY=20
	    TEST_ENC_KEY=21
    else
	    TEST_SIGN_KEY=${CERTS_DIR}/SS_SM2_HSM.key
	    TEST_ENC_KEY=${CERTS_DIR}/SE_SM2_HSM.key
    fi

    TEST_CA_CSR=${CERTS_DIR}/CA.csr
    TEST_SIGN_CSR=${CERTS_DIR}/SS_SM2_HSM.csr
    TEST_ENC_CSR=${CERTS_DIR}/SE_SM2_HSM.csr

    TEST_CA_CRT=${CERTS_DIR}/CA.crt
    TEST_SIGN_CRT=${CERTS_DIR}/SS_SM2_HSM.crt
    TEST_ENC_CRT=${CERTS_DIR}/SE_SM2_HSM.crt
fi

# Generating a CA key/certificate involves the following main steps
# 1. Generating key
# 2. Generating a certificate request
# 3. Signing the certificate request
if [ "$ISSUE_CRT" = "true" ]; then
    ./engine_util --GenKey $ALGORITHM -key $TEST_CA_KEY

    ./engine_util --SignCSR $ALGORITHM -key $TEST_CA_KEY -csr $TEST_CA_CSR -dn "$TEST_CA_DN"

    ./engine_util --SignCRT $ALGORITHM -csr $TEST_CA_CSR -crt $TEST_CA_CRT -ca_key $TEST_CA_KEY -extfile $OPENSSL_CNF -ext $CA_EXT
fi

# Generating a sign key/certificate involves the following main steps
# 1. Generating key(by hsm)
# 2. Generating a certificate request(signed by hsm)
# 3. Signing the certificate request
./engine_util --GenKey $ALGORITHM -key $TEST_SIGN_KEY -engine $ENGINE

./engine_util --SignCSR $ALGORITHM -key $TEST_SIGN_KEY -csr $TEST_SIGN_CSR -dn "$TEST_SIGN_DN" -engine $ENGINE

if [ "$ISSUE_CRT" = "true" ]; then
    ./engine_util --SignCRT $ALGORITHM -csr $TEST_SIGN_CSR -crt $TEST_SIGN_CRT -ca $TEST_CA_CRT -ca_key $TEST_CA_KEY -extfile $OPENSSL_CNF -ext $SIGN_EXT
fi

# Generating an enc key/certificate involves the following main steps
# 1. Generating key(by hsm)
# 2. Generating a certificate request(signed by hsm)
# 3. Signing the certificate request
if [ "$ISSUE_CRT" = "true" ] && [ "$RSA" = "false" ]; then
    ./engine_util --GenKey $ALGORITHM -key $TEST_ENC_KEY -engine $ENGINE

    ./engine_util --SignCSR $ALGORITHM -key $TEST_ENC_KEY -csr $TEST_ENC_CSR -dn "$TEST_ENC_DN" -engine $ENGINE

    ./engine_util --SignCRT $ALGORITHM -csr $TEST_ENC_CSR -crt $TEST_ENC_CRT -ca $TEST_CA_CRT -ca_key $TEST_CA_KEY -extfile $OPENSSL_CNF -ext $ENC_EXT
fi

